4 Answers
4

Flooding the CAM table to force the switch to fall back to hub behavior (broadcasting all packets to all ports) is an "attack" only if you consider the normal switch behavior (sending the packet only on the "right" link) to be a security feature -- which it is not. Switches are an optimization, not a protection. Unfortunately, the idea that "switches protect against snooping" is widespread (but wrong).

Besides flooding, other kinds of "attacks" include sending packets with a framed MAC address, so that packets meant for a given host are misrouted. Such "attacks" will work on all switches, because they just exercise the job that the switch is meant to perform (some switches can be configured to maintain a static list of MAC-to-port translations and at least raise a warning flag in that case, but this is an orthogonal issue -- some switches incorporate all kinds of firewalling and filtering and may have an IP address themselves, and can generally be thought as a merge between a switch and an host).

Some still may be susceptible to a fail state of 'broadcast to all ports' when the CAM table is full, but that is by design in some cases as the most common alternative is to stop passing packets - effectivey the attack changes from a breach of traffic control to a denial of service.

"The intent of the MAC Address Overflow attack is for the attacker to be able to overrun the Cisco Catalyst 6509E switches Content-Addressable Memory (CAM) table. This will force packets for all new flows to be flooded out all ports, allowing the attacker to monitor (sniff) incoming packets."

Most managed switches can operate in a non promiscuous mode and with a specific MAC bound to a specific port on the switch. Once configured this way the CAM won't be attack-able and so the switch will never degrade to a hub.